From: Greg Kroah-Hartman
Date: Fri, 3 Oct 2025 13:20:51 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=85e71b9cd267ec3fe9e7edee8a3bf7ae74e5be56;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
media-rc-fix-races-with-imon_disconnect.patch
scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
series
---
diff --git a/queue-5.10/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch b/queue-5.10/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
new file mode 100644
index 0000000000..6b9b49d456
--- /dev/null
+++ b/queue-5.10/media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
@@ -0,0 +1,119 @@
+From 01e03fb7db419d39e18d6090d4873c1bff103914 Mon Sep 17 00:00:00 2001
+From: Duoming Zhou
+Date: Wed, 17 Sep 2025 17:59:26 +0800
+Subject: media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
+
+From: Duoming Zhou
+
+commit 01e03fb7db419d39e18d6090d4873c1bff103914 upstream.
+
+The original code uses cancel_delayed_work() in flexcop_pci_remove(), which
+does not guarantee that the delayed work item irq_check_work has fully
+completed if it was already running. This leads to use-after-free scenarios
+where flexcop_pci_remove() may free the flexcop_device while irq_check_work
+is still active and attempts to dereference the device.
+
+A typical race condition is illustrated below:
+
+CPU 0 (remove) | CPU 1 (delayed work callback)
+flexcop_pci_remove() | flexcop_pci_irq_check_work()
+ cancel_delayed_work() |
+ flexcop_device_kfree(fc_pci->fc_dev) |
+ | fc = fc_pci->fc_dev; // UAF
+
+This is confirmed by a KASAN report:
+
+==================================================================
+BUG: KASAN: slab-use-after-free in __run_timer_base.part.0+0x7d7/0x8c0
+Write of size 8 at addr ffff8880093aa8c8 by task bash/135
+...
+Call Trace:
+
+ dump_stack_lvl+0x55/0x70
+ print_report+0xcf/0x610
+ ? __run_timer_base.part.0+0x7d7/0x8c0
+ kasan_report+0xb8/0xf0
+ ? __run_timer_base.part.0+0x7d7/0x8c0
+ __run_timer_base.part.0+0x7d7/0x8c0
+ ? __pfx___run_timer_base.part.0+0x10/0x10
+ ? __pfx_read_tsc+0x10/0x10
+ ? ktime_get+0x60/0x140
+ ? lapic_next_event+0x11/0x20
+ ? clockevents_program_event+0x1d4/0x2a0
+ run_timer_softirq+0xd1/0x190
+ handle_softirqs+0x16a/0x550
+ irq_exit_rcu+0xaf/0xe0
+ sysvec_apic_timer_interrupt+0x70/0x80
+
+...
+
+Allocated by task 1:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ __kasan_kmalloc+0x7f/0x90
+ __kmalloc_noprof+0x1be/0x460
+ flexcop_device_kmalloc+0x54/0xe0
+ flexcop_pci_probe+0x1f/0x9d0
+ local_pci_probe+0xdc/0x190
+ pci_device_probe+0x2fe/0x470
+ really_probe+0x1ca/0x5c0
+ __driver_probe_device+0x248/0x310
+ driver_probe_device+0x44/0x120
+ __driver_attach+0xd2/0x310
+ bus_for_each_dev+0xed/0x170
+ bus_add_driver+0x208/0x500
+ driver_register+0x132/0x460
+ do_one_initcall+0x89/0x300
+ kernel_init_freeable+0x40d/0x720
+ kernel_init+0x1a/0x150
+ ret_from_fork+0x10c/0x1a0
+ ret_from_fork_asm+0x1a/0x30
+
+Freed by task 135:
+ kasan_save_stack+0x24/0x50
+ kasan_save_track+0x14/0x30
+ kasan_save_free_info+0x3a/0x60
+ __kasan_slab_free+0x3f/0x50
+ kfree+0x137/0x370
+ flexcop_device_kfree+0x32/0x50
+ pci_device_remove+0xa6/0x1d0
+ device_release_driver_internal+0xf8/0x210
+ pci_stop_bus_device+0x105/0x150
+ pci_stop_and_remove_bus_device_locked+0x15/0x30
+ remove_store+0xcc/0xe0
+ kernfs_fop_write_iter+0x2c3/0x440
+ vfs_write+0x871/0xd70
+ ksys_write+0xee/0x1c0
+ do_syscall_64+0xac/0x280
+ entry_SYSCALL_64_after_hwframe+0x77/0x7f
+...
+
+Replace cancel_delayed_work() with cancel_delayed_work_sync() to ensure
+that the delayed work item is properly canceled and any executing delayed
+work has finished before the device memory is deallocated.
+
+This bug was initially identified through static analysis. To reproduce
+and test it, I simulated the B2C2 FlexCop PCI device in QEMU and introduced
+artificial delays within the flexcop_pci_irq_check_work() function to
+increase the likelihood of triggering the bug.
+
+Fixes: 382c5546d618 ("V4L/DVB (10694): [PATCH] software IRQ watchdog for Flexcop B2C2 DVB PCI cards")
+Cc: stable@vger.kernel.org
+Signed-off-by: Duoming Zhou
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/b2c2/flexcop-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/pci/b2c2/flexcop-pci.c
++++ b/drivers/media/pci/b2c2/flexcop-pci.c
+@@ -411,7 +411,7 @@ static void flexcop_pci_remove(struct pc
+ struct flexcop_pci *fc_pci = pci_get_drvdata(pdev);
+
+ if (irq_chk_intv > 0)
+- cancel_delayed_work(&fc_pci->irq_check_work);
++ cancel_delayed_work_sync(&fc_pci->irq_check_work);
+
+ flexcop_pci_dma_exit(fc_pci);
+ flexcop_device_exit(fc_pci->fc_dev);
diff --git a/queue-5.10/media-rc-fix-races-with-imon_disconnect.patch b/queue-5.10/media-rc-fix-races-with-imon_disconnect.patch
new file mode 100644
index 0000000000..2c02fcd2de
--- /dev/null
+++ b/queue-5.10/media-rc-fix-races-with-imon_disconnect.patch
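Review bot: The synchronous cancel on the new `++ cancel_delayed_work_sync(&fc_pci->irq_check_work);` line is still gated by `if (irq_chk_intv > 0)`, so if that module parameter can be lowered to 0 between probe and remove, the work is neither cancelled nor waited for and the use-after-free window this patch closes remains open. If irq_check_work is always initialised in probe, calling `cancel_delayed_work_sync(&fc_pci->irq_check_work);` unconditionally is a safe no-op on never-queued work and removes the dependency on the parameter's value at remove time. cancel_delayed_work_sync() may sleep and must not be reached while holding a lock that flexcop_pci_irq_check_work() also takes; a one-line comment above the call such as `/* may sleep: waits for an in-flight irq_check_work before fc_dev is freed */` records both constraints. flexcop_pci_remove() starts and ends outside the hunk.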
@@ -0,0 +1,160 @@
+From fa0f61cc1d828178aa921475a9b786e7fbb65ccb Mon Sep 17 00:00:00 2001
+From: Larshin Sergey
+Date: Tue, 29 Jul 2025 13:13:32 +0300
+Subject: media: rc: fix races with imon_disconnect()
+
+From: Larshin Sergey
+
+commit fa0f61cc1d828178aa921475a9b786e7fbb65ccb upstream.
+
+Syzbot reports a KASAN issue as below:
+BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
+BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
+Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465
+
+CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+Call Trace:
+
+__dump_stack lib/dump_stack.c:88 [inline]
+dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
+print_address_description mm/kasan/report.c:317 [inline]
+print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
+kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
+__create_pipe include/linux/usb.h:1945 [inline]
+send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
+vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
+vfs_write+0x2d7/0xdd0 fs/read_write.c:576
+ksys_write+0x127/0x250 fs/read_write.c:631
+do_syscall_x64 arch/x86/entry/common.c:50 [inline]
+do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+
+The iMON driver improperly releases the usb_device reference in
+imon_disconnect without coordinating with active users of the
+device.
+
+Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
+protected by the users counter (ictx->users). During probe,
+imon_init_intf0 or imon_init_intf1 increments the usb_device
+reference count depending on the interface. However, during
+disconnect, usb_put_dev is called unconditionally, regardless of
+actual usage.
+
+As a result, if vfd_write or other operations are still in
+progress after disconnect, this can lead to a use-after-free of
+the usb_device pointer.
+
+Thread 1 vfd_write Thread 2 imon_disconnect
+ ...
+ if
+ usb_put_dev(ictx->usbdev_intf0)
+ else
+ usb_put_dev(ictx->usbdev_intf1)
+...
+while
+ send_packet
+ if
+ pipe = usb_sndintpipe(
+ ictx->usbdev_intf0) UAF
+ else
+ pipe = usb_sndctrlpipe(
+ ictx->usbdev_intf0, 0) UAF
+
+Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by
+checking ictx->disconnected in all writer paths. Add early return
+with -ENODEV in send_packet(), vfd_write(), lcd_write() and
+display_open() if the device is no longer present.
+
+Set and read ictx->disconnected under ictx->lock to ensure memory
+synchronization. Acquire the lock in imon_disconnect() before setting
+the flag to synchronize with any ongoing operations.
+
+Ensure writers exit early and safely after disconnect before the USB
+core proceeds with cleanup.
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Reported-by: syzbot+f1a69784f6efe748c3bf@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f1a69784f6efe748c3bf
+Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver")
+Cc: stable@vger.kernel.org
+
+Signed-off-by: Larshin Sergey
+Signed-off-by: Sean Young
+Signed-off-by: Hans Verkuil
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/rc/imon.c | 27 ++++++++++++++++++++-------
+ 1 file changed, 20 insertions(+), 7 deletions(-)
+
+--- a/drivers/media/rc/imon.c
++++ b/drivers/media/rc/imon.c
+@@ -536,7 +536,9 @@ static int display_open(struct inode *in
+
+ mutex_lock(&ictx->lock);
+
+- if (!ictx->display_supported) {
++ if (ictx->disconnected) {
++ retval = -ENODEV;
++ } else if (!ictx->display_supported) {
+ pr_err("display not supported by device\n");
+ retval = -ENODEV;
+ } else if (ictx->display_isopen) {
+@@ -598,6 +600,9 @@ static int send_packet(struct imon_conte
+ int retval = 0;
+ struct usb_ctrlrequest *control_req = NULL;
+
++ if (ictx->disconnected)
++ return -ENODEV;
++
+ /* Check if we need to use control or interrupt urb */
+ if (!ictx->tx_control) {
+ pipe = usb_sndintpipe(ictx->usbdev_intf0,
+@@ -954,12 +959,14 @@ static ssize_t vfd_write(struct file *fi
+ static const unsigned char vfd_packet6[] = {
+ 0x01, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF };
+
+- if (ictx->disconnected)
+- return -ENODEV;
+-
+ if (mutex_lock_interruptible(&ictx->lock))
+ return -ERESTARTSYS;
+
++ if (ictx->disconnected) {
++ retval = -ENODEV;
++ goto exit;
++ }
++
+ if (!ictx->dev_present_intf0) {
+ pr_err_ratelimited("no iMON device present\n");
+ retval = -ENODEV;
+@@ -1034,11 +1041,13 @@ static ssize_t lcd_write(struct file *fi
+ int retval = 0;
+ struct imon_context *ictx = file->private_data;
+
+- if (ictx->disconnected)
+- return -ENODEV;
+-
+ mutex_lock(&ictx->lock);
+
++ if (ictx->disconnected) {
++ retval = -ENODEV;
++ goto exit;
++ }
++
+ if (!ictx->display_supported) {
+ pr_err_ratelimited("no iMON display present\n");
+ retval = -ENODEV;
+@@ -2502,7 +2511,11 @@ static void imon_disconnect(struct usb_i
+ int ifnum;
+
+ ictx = usb_get_intfdata(interface);
++
++ mutex_lock(&ictx->lock);
+ ictx->disconnected = true;
++ mutex_unlock(&ictx->lock);
++
+ dev = ictx->dev;
+ ifnum = interface->cur_altsetting->desc.bInterfaceNumber;
+
diff --git a/queue-5.10/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch b/queue-5.10/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
new file mode 100644
index 0000000000..2366abcbd8
--- /dev/null
+++ b/queue-5.10/scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
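Review bot: The new `if (ictx->disconnected) return -ENODEV;` at the top of send_packet() reads the flag without ictx->lock, while the commit message states the flag is set and read under the lock; for callers that already hold the lock (vfd_write() and lcd_write() in this hunk) the check is redundant, and for any caller that does not, it is a racy best-effort read that by itself does not order against the `ictx->disconnected = true` store in imon_disconnect(). The guarantee therefore rests on every path that dereferences usbdev_intf0/usbdev_intf1 checking the flag while holding ictx->lock, which this hunk establishes only for the four functions it touches. A comment on the send_packet() check would make the intent clear, e.g. `/* lockless fast-fail only; callers must re-check ictx->disconnected under ictx->lock */`, or `lockdep_assert_held(&ictx->lock);` if every caller is expected to hold the lock. display_open(), send_packet(), vfd_write(), lcd_write() and imon_disconnect() all start and end outside the hunk, so the usb_put_dev() calls that follow mutex_unlock() in imon_disconnect() are not visible here.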
@@ -0,0 +1,47 @@
+From 27e06650a5eafe832a90fd2604f0c5e920857fae Mon Sep 17 00:00:00 2001
+From: Wang Haoran
+Date: Sat, 20 Sep 2025 15:44:41 +0800
+Subject: scsi: target: target_core_configfs: Add length check to avoid buffer overflow
+
+From: Wang Haoran
+
+commit 27e06650a5eafe832a90fd2604f0c5e920857fae upstream.
+
+A buffer overflow arises from the usage of snprintf to write into the
+buffer "buf" in target_lu_gp_members_show function located in
+/drivers/target/target_core_configfs.c. This buffer is allocated with
+size LU_GROUP_NAME_BUF (256 bytes).
+
+snprintf(...) formats multiple strings into buf with the HBA name
+(hba->hba_group.cg_item), a slash character, a devicename (dev->
+dev_group.cg_item) and a newline character, the total formatted string
+length may exceed the buffer size of 256 bytes.
+
+Since snprintf() returns the total number of bytes that would have been
+written (the length of %s/%sn ), this value may exceed the buffer length
+(256 bytes) passed to memcpy(), this will ultimately cause function
+memcpy reporting a buffer overflow error.
+
+An additional check of the return value of snprintf() can avoid this
+buffer overflow.
+
+Reported-by: Wang Haoran
+Reported-by: ziiiro
+Signed-off-by: Wang Haoran
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/target_core_configfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/target/target_core_configfs.c
++++ b/drivers/target/target_core_configfs.c
+@@ -2637,7 +2637,7 @@ static ssize_t target_lu_gp_members_show
+ config_item_name(&dev->dev_group.cg_item));
+ cur_len++; /* Extra byte for NULL terminator */
+
+- if ((cur_len + len) > PAGE_SIZE) {
++ if ((cur_len + len) > PAGE_SIZE || cur_len > LU_GROUP_NAME_BUF) {
+ pr_warn("Ran out of lu_gp_show_attr"
+ "_members buffer\n");
+ break;
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 0000000000..d438dae8a6
--- /dev/null
+++ b/queue-5.10/series
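Review bot: The new `cur_len > LU_GROUP_NAME_BUF` test shares the "Ran out of lu_gp_show_attr_members buffer" warning and the `break` with the page-size check, so an over-long HBA/device name is reported as page-buffer exhaustion and silently ends the member listing for every later entry instead of being attributed to the entry that did not fit. The bound itself is right because cur_len already counts the extra NUL (`cur_len++` on the line above): a truncated snprintf() returns at least LU_GROUP_NAME_BUF, so cur_len is at least LU_GROUP_NAME_BUF + 1 and the loop exits before memcpy() reads beyond buf. Using `scnprintf()` for the format call would return the bytes actually written and make the overflow impossible by construction; if the break is kept, a separate message such as `pr_warn("lu_gp member name truncated\n");` for the new condition would make the two failure modes distinguishable in logs. The enclosing loop and target_lu_gp_members_show() start and end outside the hunk.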
@@ -0,0 +1,3 @@
+scsi-target-target_core_configfs-add-length-check-to-avoid-buffer-overflow.patch
+media-b2c2-fix-use-after-free-causing-by-irq_check_work-in-flexcop_pci_remove.patch
+media-rc-fix-races-with-imon_disconnect.patch